Not that it helps you Dave, but I could see it fine (albeit it took an absolute age to load). So - BKBK - perhaps the perms are set for some users but not others?

Or Dave, are you clicking just from the email from the forums? I went into the web UI and clicked the link from there (so I was already authenticated before clicking the link)?

I was clicking the link in the email, rather than going into the forums and clicking from there. Once I did that I could see it just fine, so there's no permissions issue.

BKBK, on first glance, I must say that you have certainly put a lot of effort into this. Probably more than it really deserves, since I can't really pay you for that effort. But in the end, I still disagree. I will try to address the core of this disagreement after my noon deadline, but for now, suffice it to say that I don't think we agree on what "equivalence" means, and the reducibility of words to logical operands.

All that said, I congratulate you on the most thorough response I've ever seen to a forum post.

Agree with everything you say there, the most important bit being how good the doc is (TBH, I didn't read it all - I'm at work - but I will later).

My point of contention is this... what BKBK initially said was this:

BKBK wrote:

12Robots wrote:

The random string is not meant to make the token more unique, it is meant to make it random.

Actually, more unique means random!

So BKBK was making a connection between uniqueness and randomness being related.

And this is what Jason, Dave and I have been disagreeing with. "Unique" does not mean "random", and "random" does not mean "unique".

BKBK also said this:

In the above context (of CFToken) uniqueness and randomness are synonymous.

This is not correct either. I would accept that "in the context of a CFToken value, either approach would be OK for all intents and purposes", but that's not the same as them being synonymous. They are still distinct concepts (I think we can all agree on that), it's just that either concept will suitably meet the requirement CFToken has.

And that's what the doc seems to discuss: that for the purpose of a CFTOKEN value, a random value will be - for all intents and purposes - as good as a specifically unique value.

I don't think anyone would quibble with that.

Indeed this all started with me questioning the merit of adding an additional random element to a UUID to construct the CFToken value, because it seems like pointless egregiousness (if that's a word). The UUID by itself already fulfils the requirement, and has the benefit of being an industry-accepted approach to such things. What Adobe seems to have done is to invent their own little solution, where the industry-accepted solution is already just fine. And that - IMO - is a bit thick of them.

I don't think Adobe is being thick at all. Nor are they going against any industry standard.

Session tokens need to be unique and sufficiently random. CF's UUIDs provide the uniqueness and the Random long integer at the end provides the sufficient randomness. I believe you said earlier in your thread that based on what you saw in the source code that the CF UUID by itself provided about 96-bits of randomness (Do any of us have any idea what the entropy limitations are on that method, cause that could reduce the bits of randomness).
